BreachExchange mailing list archives
The importance of cyber due diligence in M&A transactions
From: audrey () riskbasedsecurity com (Audrey McNeil)
Date: Thu, 25 Feb 2016 18:36:12 -0700
http://www.lexology.com/library/detail.aspx?g=24153ebd-af81-4826-ad35-06de9bad88ce

The number of M&A transactions in 2015 has hit record highs, with volumes expected to increase by 11% from 2014, according to Bloomberg. Indeed, one of the hottest areas for M&A activity has been cybersecurity companies, with deals including AVG Technologies' acquisition of Privax and Blue Coat Systems' acquisition of Perspecsys. Cybersecurity is one of the top five business risks identified by major corporates, particularly those in retail, health, and technology. Every day, we read of a new data breach somewhere in the world.

In this environment, one would assume that buyers would undertake detailed cyber due diligence as a matter of course. However, this does not seem to be the case. Certainly, a survey on cybersecurity in M&A carried out by Freshfields in 2014 indicated that 78% of respondents thought that cybersecurity was not analysed in any detail in their deals. This is despite the same respondents indicating that cybersecurity deficiencies could derail a deal or adversely affect value.

Our experience is not dissimilar. Cybersecurity due diligence tends to be undertaken by the in-house IT team of a buyer, if at all. The scope and scale of the due diligence tends to be cursory and high level. The representations and warranties in transaction documents covering cybersecurity tend to be relatively high level and have, until recently, tended to relate to past events – has the target suffered a data breach that has been notified to a regulator or to customers? They may go as far as asking for a warranty that the target has implemented reasonable cybersecurity systems, processes and procedures having regard to the industry that it is in. In very few cases, some sellers may be required to warrant the likelihood of data breaches occurring after completion (or recurring, if historic breaches have been disclosed) – but this seems to be the exception rather than the rule.
The question is whether or not this is adequate in the current digital environment. Would directors of the acquirer be derelict in their duties if their company did no, or only limited, cyber due diligence? Could an acquiring company afford not to undertake cyber due diligence if the target controls or processes valuable data? What would the consequences be if adequate due diligence had not been undertaken prior to the acquisition?

We know that the occurrence of a cybersecurity breach in the lead-up to an acquisition is not unusual. In a well-known incident in January 2015, Australian incumbent Telstra discovered after completing its acquisition of pan-Asian network provider PacNet, that sometime after signature but before completion, PacNet's corporate IT systems had been compromised, meaning it was likely customer information had been stolen. To its credit, Telstra notified affected customers of the likely compromise as soon as it became aware of the incident, so that they could take steps to protect themselves.

Of course, there are situations in which it is difficult to carry out cyber due diligence, particularly in a hostile or a competitive sale process. But in many cases, acquirers are simply not taking enough steps to understand the cybersecurity risks facing their targets, and how they might address cyber-security issues post acquisition.

Why might cyber-security not be prioritized in a transaction? A study carried out in 2014 by NERA Economic Consulting found that cyber incidents do not appear to impact share prices significantly in the medium to long term. And even where there is a drop, it often does not take long for the share price to recover. The table on page 40 illustrates this.
Whether this trend will continue remains to be seen. But it certainly appears that in recent history, the correlation between a cybersecurity incident and the share price is weak, at least in relation to listed companies for which the data is readily available. Looking at some recent data, the share price of TalkTalk fell dramatically after the data breach announced on 22 October, and has since been very volatile. The fact that this was TalkTalk's third data breach in 2015 may have been a contributing factor. It is true that there seemed to be little effect on TalkTalk's share price in the months following the previous two data breaches, in February and August.

What is the value of Cyber Due Diligence?

A good cyber due diligence report will take a holistic view (using, for example, our 7 Pillars methodology below) of the target's cyber-resilience posture. This is important because cyber-resilience is not just an IT issue, it is a business and a risk issue. The fact that an organisation treats cyber-resilience just as an IT issue will tell you something significant about its level of maturity.

THE SEVEN PILLARS OF CYBER RESILIENCE

- GOVERN: Ensure that your governance bodies have taken the proper steps to ensure that the organisation is cyber-resilient and to protect it against cyber-risks and threats.
- KNOW: Know the data you hold, the value of that data, and how well it is being protected.
- REVIEW: Review and test the adequacy of your cyber-resilience processes, procedures and systems.
- IMPROVE: Identify areas of weakness and improve your cyber-resilience processes, procedures and systems.
- PROTECT: Take steps to ensure that your organisation actually implements the processes and procedures which have been established and improved.
- RESPOND: Activate incident management plans immediately to address the situation.
- RECOVER: Have plans and mechanisms in place to recover as swiftly as possible from a cybersecurity incident and to draw key learnings from the incident.
In our view, a good cyber due diligence investigation should be carried out by business, legal and technical advisers, to obtain a holistic view of the target's overall cyber-resilience. Broadly speaking, a cyber due diligence should determine whether the target has inadequate cyber-resilience protections. If the protections are inadequate, it follows that there will be a reasonable likelihood that the target's systems may have been or will shortly be compromised. This is important because:

- it allows the buyer to determine whether the valuation needs to be discounted for this risk. If, for example, the target is an intellectual property-rich company, and it is the intellectual property that is valuable, then one must consider the possibility that the intellectual property has been stolen, meaning that the target's exclusivity or trade secrets may have been compromised;
- if the target processes credit card transactions and is not PCI-DSS compliant, then a buyer must factor in the possibility of significant fines from the card schemes, the risk of investigations and audits, and possibly a loss of the ability to process card payments until the situation is rectified;
- a buyer may also need to value the regulatory risk, customer compensation costs and the cost of remediation should there have been a data breach; and
- at the very least, the buyer knows it must prioritise a full and detailed cyber-resilience review and improvement program post-acquisition, and should perhaps discount the purchase price or obtain indemnities for the cost of doing so.

If, however, cyber due diligence indicates that the target has taken reasonable and industry standard steps to ensure that it is cyber-resilient, and there are no warning signs that would indicate that the target may have been compromised, then the buyer can be confident that there is no need to adjust valuations and can instead focus on normal integration post-acquisition.
In this instance, there is no necessary rush to carry out a full and detailed cyber-resilience review and improvement program. Of course, a buyer must recognise that a clean cyber due diligence report cannot guarantee that the target's systems have not been compromised, so it is helpful to have a contingency plan in place.

A good cyber due diligence report will also enable the buyer to make decisions (and potentially gain leverage) in relation to:

- seeking and obtaining appropriate warranties as to the target's level of cyber-resilience;
- obtaining a specific cyber-security indemnity that sits outside the normal baskets and limits and covers the costs of investigation, remediation, regulatory action and customer compensation, should there be a cyber incident which has its origins in an act or omission of the target before completion;
- whether or not the occurrence of a cyber incident between signing and completion should be a material adverse change, entitling you to terminate the sale agreement, should you be undertaking a split signing and completion; and
- obtaining a warranty and indemnity (W&I) insurance policy, should the acquiring company or vendor be seeking to obtain one, as it is becoming increasingly difficult for underwriters to cover broad cyber-warranties that may extend to the adequacy or sufficiency of systems in place or indeed to future breaches, without an appropriate cyber due diligence exercise.

The latter point is of particular interest. Underwriters may not have had particular issues with covering warranties in M&A transactions that referred only to historic breaches. But as Andrew Graham, Vice-President of the International Mergers and Acquisition Division at Allied World Assurance Company informed the present authors: "We do not see a great deal of specific due diligence done in cybersecurity at present. I wonder whether this is because not all law firms have the necessary expertise to advise appropriately on cybersecurity issues.
From an underwriter's perspective on W&I deals, as warranty protection around cybersecurity increases, we may find ourselves in the position, on certain deals, that we will need to see targeted and appropriate due diligence undertaken by the insured so that we can adequately wrap up such risk within the scope of the W&I policy."

Why should cyber due diligence be a focus in telecoms M&A?

Telecoms companies are not immune from cybersecurity issues. On the contrary, they are perhaps more vulnerable to cyber-related threats, as the TalkTalk incident shows. Perhaps more importantly, telecoms companies are, in many cases, subject to a higher level of scrutiny by regulators due to their unique position of operating the networks and services over which a large proportion of internet data flows.

In Europe, providers of electronic communications services are typically required to ensure that their services are secure (see EU Directive 2002/58/EC). They must also inform their national regulatory authority of any personal data breach within 24 hours and, if the personal data or privacy of a user is likely to be harmed, the user must also be informed unless specifically identified technological measures have been taken to protect the data. Many communications providers are also required to retain data relating to communications over their networks (although the extent to which this is required differs from country to country after a series of judicial challenges to data retention laws).
Requirements to cooperate with law enforcement authorities can often mean that telecoms companies have access to particularly sensitive stores of data that may include telephone recordings, email records and details of other internet communications and web traffic. But they must still comply with their data protection and privacy obligations in respect of the data they handle. For these reasons, there may be greater regulatory consequences in the event that a telecoms industry target is affected by a cybersecurity breach, and there will ordinarily need to be a high degree of maturity in terms of the target's cyber-resilience.

Conclusion

Cyber threats are here to stay. Organisations need to be vigilant in ensuring that they are cyber-resilient and to take appropriate steps to do so. They must do so within their own business operations, and also in relation to businesses they acquire. Forewarned is, in the cyber world, forearmed. And it is crucial to be forearmed in telecoms M&A.